Skip to content

Commit

Permalink
head_errlog: fix use-after-free
Browse files Browse the repository at this point in the history
In the commit of the head_errlog feature we introduced a bug in
dsl_dataset_promote_sync(): we may dereference origin_head and hds, both
dereferencing ddpa after calling promote_sync() on ddpa.

Closes: 16272

Signed-off-by: George Amanakis <[email protected]>
  • Loading branch information
gamanakis committed Jun 27, 2024
1 parent 2eab4f7 commit 406af09
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions module/zfs/dsl_dataset.c
Original file line number Diff line number Diff line change
Expand Up @@ -3710,16 +3710,19 @@ dsl_dataset_promote_sync(void *arg, dmu_tx_t *tx)
spa_history_log_internal_ds(hds, "promote", tx, " ");

dsl_dir_rele(odd, FTAG);
promote_rele(ddpa, FTAG);

/*
* Transfer common error blocks from old head to new head.
* Transfer common error blocks from old head to new head, before
* calling promote_rele() on ddpa since we need to dereference
* origin_head and hds.
*/
if (spa_feature_is_enabled(dp->dp_spa, SPA_FEATURE_HEAD_ERRLOG)) {
uint64_t old_head = origin_head->ds_object;
uint64_t new_head = hds->ds_object;
spa_swap_errlog(dp->dp_spa, new_head, old_head, tx);
}

promote_rele(ddpa, FTAG);
}

/*
Expand Down

0 comments on commit 406af09

Please sign in to comment.